Mobile Menace Monday: You’ve been infected! Or have you?

In the mobile world, most of us have become accustomed to installing apps that display ads in exchange for them being free. Most ads aren’t too annoying, and for the price it is worth having them displayed. It’s a fair compromise—until the ad servers display something along the lines of “You’ve been INFECTED!!!”.

Ad networks, a scammer’s dream

Just the other day, while my family and I are here in Portugal on holiday (well, holiday for them while I work remotely), my in-law got one of these ads:

Since we are in Portugal, the ads are all in Portuguese. This particular ad roughly translates as:

Active alert. Your attention is necessary. Touch to read now.

With the ad covering the whole screen and only a little “x” in the corner to close it, it’s pretty easy to accidentally click the ad, which opens your browser to a webpage. That is exactly what happened to my in-law while playing the game Baby Flash Cards with our toddler. Suddenly, her browser opened to this scary pop-up:

***!!NOTICE!!!*** This Apple iPad is corrupted with virus and the battery was damaged (4) virus that cause serious damage to your battery and must be removed and corrected immediately. Continue with the instructions to fix the phone. Do not close the window. ** Leave for your own risk **

She exclaimed, “Oh no, I’ve got a virus!”

I exclaimed, “Cool, let me see!”

Okay, maybe not that verbatim, but close enough.

Instantly, I knew that she wasn’t really infected but had just been redirected to a site claiming she was: a scam used to trick users into installing actual malware or agreeing to something potentially worse. Being the researcher I am, I wanted to figure out what the scammers were up to, so I clicked onward.

Hopping down the scammer’s rabbit hole

The first webpage was on google.com-virusscan.com. Totally legit, right?

Your battery is damaged by (4) virus! We found that 28.1% of your Apple iPad DAMAGED are due to (4) dangerous viruses received recently visited sites for adults. This will damage your SIM card and corrupt your contacts, photos, data and applications. If you do not remove the virus now, this device will automatically lock the battery and the phone will be switched off permanently to prevent further damage caused by viruses. Here's what to do (step by step): Step 1: Click on the button below and enter your phone number. Respond to our SMS and download the free antivirus app. Step 2: Run the application to remove all viruses and repair the battery to 100%. REMEDY FREE NOW
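The hostname google.com-virusscan.com works as a lure because it starts with a familiar name, yet the domain the scammers actually registered is com-virusscan.com. The following is an added example, not code from the original post, showing how a filter can flag that pattern; the suffix set, the trusted-domain list, and every sample hostname other than the one quoted above are constructed for illustration.

```python
# Added example: flag hostnames that begin with (or embed) a trusted brand
# domain while being registered under a different domain.
# Assumption: TWO_LEVEL_SUFFIXES is a tiny constructed subset; production
# code should consult the full Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.br", "com.au"}
TRUSTED_DOMAINS = {"google.com", "apple.com"}  # constructed allow-list


def registrable_domain(hostname):
    """Return the part of the hostname that was actually registered."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def impersonated_brand(hostname):
    """Return the trusted domain a hostname imitates, or None if it is clean."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None  # genuinely hosted under the trusted domain
    padded = "." + host  # lets one test cover both start-of-name and mid-name
    for brand in sorted(TRUSTED_DOMAINS):
        # The brand is followed by '-' or '.', so it only looks like the site.
        if any("." + brand + sep in padded for sep in ("-", ".")):
            return brand
    return None


if __name__ == "__main__":
    samples = [
        "google.com-virusscan.com",     # hostname quoted in the post
        "mail.google.com",              # constructed: legitimate subdomain
        "www.apple.com.login.example",  # constructed: brand used as subdomain
        "example.org",                  # constructed: unrelated site
    ]
    for name in samples:
        brand = impersonated_brand(name)
        verdict = "imitates " + brand if brand else "ok"
        print(name, "->", registrable_domain(name), "->", verdict)
```
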

Next up, a fake scanner, my fave!

Important! Viruses can delete personal information, contacts list, and can damage your SIM card! ATTENTION! YOUR PHONE MAY BE INFECTED. WE RECOMMEND THE FOLLOWING: 1. Press the button to continue. 2. Download antivirus software for Android. 3. Make running the antivirus program on your phone to remove potential threats. TO REMOVE

Finally, it ends on this webpage:

Subscribe to you find viruses and spyware. Your Android is virus free? 44% of Android devices for viruses. Golden App - Protect your phone with antivirus software McSecure. It will be deducted weekly a value of your mobile account. Enter your phone number to access this service

What is McSecure?

The answer to what the scammers are up to lies with the service subscription to an antivirus software called McSecure. Below are screenshots containing what they claim to offer and how to sign up:

Here’s how the scam works. Once a valid phone number is entered on that last ad webpage we saw earlier, the scammers use it to send a text message to the victim to confirm a subscription to a “service”. Once subscribed, the victim is charged for the service periodically. Depending on country of origin, the prices and frequency of these charges vary, but usually it’s weekly. These charges are added to the victim’s phone bill and could easily go unnoticed. The only ways to stop the charges are to text ‘STOP’ to the number the subscription was originally confirmed with, email the company with the mobile number to be removed, or call the company. The best bet is the first option.

So what about the antivirus app promised? According to McSecure, once a user confirms his/her subscription, he/she is supposed to receive another text message containing a download link to the app.

I wasn’t able to confirm this without actually signing up for the subscription service myself, which I decided against. I did do quite a bit of searching for the app though, but came up empty-handed. The closest I got was a screenshot from their website.

My guess is that there really isn’t a McSecure app. Why would there be when they are already getting your money? And if there really is an app out there, there’s a good chance it would be classified as a Trojan FakeAV.

Cracking down on ads

The ad that popped up while playing Baby Flash Cards is just one example of many. If you use apps with ads even moderately, it’s highly likely you’ll come across one like this yourself. Although the crackdown on shady ads has been getting stricter, this highlights the fact that more needs to be done to restrict what ads are displayed in mobile apps.

Just back away to safety

The good news is that if you do come across an ad claiming you are infected, even if you accidentally click the ad and land on scarier warnings, there is no need to panic, as you are not really infected. Just back out of the browser, close the ad, and go on with your day. It’s only when you fall for the scammers’ tricks that trouble arises.
